Cloud Computing Prompts Push for Privacy Law Rewrite

The Electronic Communications Privacy Act, signed into law nearly a quarter century ago, has fallen out of step with the way information is shared and stored on the cloud, according to the Digital Due Process coalition.

WASHINGTON -- Members of a broad coalition advocating an overhaul of a more than two-decades-old privacy law took to Capitol Hill Friday afternoon, convening a briefing for congressional staffers to champion the cause.

They argued that the Electronic Communications Privacy Act, or ECPA, has fallen lamentably out of step with the way that people are using computers and the Internet, particularly with regard to cloud computing and location-based services.

ECPA, signed into law in 1986, established a procedural framework for law enforcement authorities to obtain wire and electronic information, including files stored on a computer.

But in the age of the cloud, when users' e-mail, documents and social networking information are scattered on far-flung corporate servers, a law governing access to online data conceived at a time when few outside of the research and defense communities had heard of the Internet is in sore need of an update, according to the Digital Due Process coalition.

"ECPA is difficult to explain to our users and it's difficult for us to apply," said Will DeVries, a policy counsel with Google (NASDAQ: GOOG) who focuses on privacy issues. "This confusion and the costs associated with it really for us is really undermining the growth of our services and the growth of the cloud."

The coalition, formally launched in late March, is comprised of a broad range of often feuding companies and advocacy groups. Digital Due Process counts Google foes Microsoft (NASDAQ: MSFT) and AT&T (NYSE: T) as members, for instance, as well as consumer advocates and libertarian organizations from across the political spectrum.

"We had a great left-right group," said Greg Nojeim, senior counsel at the Center for Democracy and Technology, which began working to build the coalition three years ago.

In addition to Hill staffers, representatives of the coalition have briefed officials at the Departments of Justice and Commerce, the White House and the Federal Trade Commission. They are scheduled to meet with attorneys from the intelligence community next week.

A House Judiciary Committee subcommittee held a hearing earlier this month on updating the statute and Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) has said that he plans to hold a hearing on the issue this year.

But with the number of working days dwindling before Congress breaks for the midterm elections, the group isn't expecting to score a legislative win this year.

"What we envision is a process that will extend into the next session of Congress when we get a chance to talk about this with law enforcement," Nojeim said. "We want to get it right."

Specifically, the coalition is urging a revision of the statute to require law enforcement authorities to demonstrate probable cause and obtain a search warrant from a judge before gaining access to information covered under ECPA, such as data stored on a company's servers. Under the current law, authorities have been able to access a company's sensitive data using only a subpoena issued by a prosecutor.

The update the group would like to see would establish that same protection for location-based data associated with mobile devices, regardless of whether it was obtained using GPS technology or cell-tower triangulation.

Broadly, the Digital Due Process coalition is aiming to simplify what it sees as an overly complex law and level the playing field so that all information would be covered by the same privacy safeguards.

"It shouldn't matter if you're working on your computer to save a document or if you're saving it in the cloud," Nojeim said, arguing for a policy of "technology and platform neutrality."

By setting different protections for data stored on personal computers and company servers, ECPA has generated considerable uncertainty among businesses that operate in the cloud. Yahoo (NASDAQ: YHOO), for instance, recently fought off an effort by the Department of Justice to obtain a user's e-mails without a warrant under provisions of the Stored Communications Act, a component of ECPA. Digital Due Process members filed an amicus brief on Yahoo's behalf in that case.

But bringing ECPA into step with the cloud era isn't just about protecting consumers, the group argues. The uncertainty of the statute's implications on remotely stored data has deterred some enterprises from moving their IT operations to the cloud. It's no wonder then that Salesforce (NYSE: CRM), one of the premiere cloud-based firms catering to the enterprise market, is also a member of the Digital Due Process coalition.

"This is actually a very common complaint amongst our enterprise customers. We hear this a lot. People say, 'Well, we're interested in moving to the cloud, but we're not sure how this is going to work when we get a request for our records,'" said Google's DeVries. "We are trying to bring some clarity to a process that has not had much clarity in the past."

Enterprise Applications: What Businesses Need to Know
An expert panel discusses current trends in enterprise applications, providing advice for businesses looking to refresh their portfolio of enterprise apps.WATCH NOW »